I previously posted this on the GitHub issue tracker, which has now been removed (including my post), so I’m posting it here again.
discourse-setup uses sed to place the user-provided SMTP password in the configuration file. The user input is used as a regular expression by sed (-e) there, while it is really just a plain text string.
This works as long as the password does not contain any characters which sed would interpret as an expression / command.
When it fails to work, the user may get to see a sed error message in the discourse-setup output, and installation may fail.
This is potentially a security issue, since sed might end up executing the input string (///e).
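The failure mode described in this post, shown beside one way to avoid it. This is an added example, not part of the original post and not code from discourse-setup; the function names, the `SMTP_PASSWORD` key and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample config line (hypothetical key, not discourse-setup's file).
SAMPLE_CONFIG='SMTP_PASSWORD: changeme'

# Naive form: the password is pasted into the sed script, so sed parses it.
# A '/' ends the replacement early (the rest is read as flags) and '&'
# expands to the matched text. Usage: set_password_naive PASSWORD < config
set_password_naive() {
  sed -e "s/^\( *SMTP_PASSWORD:\).*/\1 $1/"
}

# Escape a literal string for the replacement side of s|...|...|.
# Backslash, '&' and the chosen delimiter '|' are the special characters.
# A newline would terminate the sed command, so such input is rejected.
escape_sed_replacement() {
  case $1 in
    *"
"*) return 1 ;;
  esac
  printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# Hardened form: the password reaches sed only after escaping, so every
# character is inserted as plain text. Usage: set_password_safe PASSWORD < config
set_password_safe() {
  esc=$(escape_sed_replacement "$1") || return 1
  sed -e "s|^\( *SMTP_PASSWORD:\).*|\1 $esc|"
}

# Demo with a constructed password containing characters sed treats specially.
printf '%s\n' "$SAMPLE_CONFIG" | set_password_safe 'pa/ss&wo\rd|x'
```

With the naive function, a password containing `/` makes sed reject the script, and one containing `&` is silently written to the file in a corrupted form.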